Business Solutions

Security

Analytics

Accessibility

Inherent Privacy

Immunity from web-focused Legislation

Ownership

Semantic Data

Security

Making web applications safe is in the best interest of all organizations and the general economy. Providing a clearly defined set of web application security best practices will advance security professionals' ability to anticipate and rapidly address potential threats to their enterprise.
Yuval Ben-Itzhak, CTO and Co-Founder KaVaDo

Current Security State of the Web
(part 1 of 3)

Over 286 million web-attack malware variants observed in 2010 alone.1

The volume of Web-based attacks per day increased by 93 percent in 2010 compared to 2009.1

With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).2

Current Security State of the Web
(part 3 of 3)

Today by one estimate, 70% of all websites are open to XSS attacks on their users.1

President Obama called the cyber threat one of the most serious economic and national security challenges we face as a nation. I believe the cyber threat is an existential one, meaning that a major cyber attack could potentially wipe out whole companies. It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately even kill people.2

A1: Injection - Solved on the client side, where the threat is least severe

A6: Security Misconfiguration - This threat can only be solved by proper security management; however, the heightened security posture provided by Mail Markup Language will offer some mitigation in this area

A7: Insecure Cryptographic Storage - NA, not client-side related

A8: Failure to Restrict URL Access - NA, not client-side related

A9: Insufficient Transport Layer Protection - Not a client-side related issue, though it can be largely nullified by Mail Markup Language, as it strongly encourages sharing of public keys in advance of PKI encryption

A10: Unvalidated Redirects and Forwards - This technology will not stop websites from redirecting to malicious websites, but it can partially eliminate this problem by encouraging use of email as opposed to the web

Mail Markup Language and Security

A media type description is mandatory, and content can only be executed as that described media type.

Email is inherently private

No convention to supply scripting in the context of the document

Strongly encourages PKI encryption.

No malicious redirection in the context of email.

Nonrepudiation

Nonrepudiation is the practice of eliminating a sender's ability to challenge having sent the communication in question.

This does not exist on the web without considerable sophisticated help, because from a technology perspective everybody is always anonymous.

This is regarded as an important form of security in email for the transferring of liability.

Analytics

Because web analytics tools are more complex than chisels, we have leapt to the hopeful conclusion that the action of buying and installing a web analytics tool is a guarantee of online success. Insight and action are expected to be delivered by the tool, without any assistance from humans (except for buying and installing). And that's why web analytics tools are seen to fail.
June Li, Click Insight

Analytics without Scripting or Cookies

In a properly designed email environment there is no need for script, tracking pixels, cookies, or other artifacts. Users and data can be tracked in one of three ways.

On the email server
- Email servers serve a completely different purpose than web servers. Email servers, from the perspective of content and media, should be thought of as an invisible proxy where analytics can be gathered, similar to Adobe Insight. The only difference is that the data would be more reliable on email, as everything is captured without a tracking pixel.

Through logging of email accounts
- This would be comparable in function and limitation to web session tracking from the webserver.

Tracking pixel in the content body
- Spammers and marketers already do this. Without something like Mail Markup Language this is the only option for email. This is substantially less reliable than the other options and is equivalent to web analytics.

Inherent Privacy

Privacy Is Not Security

Privacy is a legal classification, whereas security is a defensive practice

Security cannot guarantee privacy, but laws may guarantee privacy

Privacy and security are separate functions with separate intentions, each devised by unrelated parties

The most critical mistake in the understanding of privacy is to conclude it is somehow related to security

Email is Private, Web is Public

In the United States email inherits from Katz v US, which established the expectation of privacy test.

In the United States the only legal limitation upon email privacy is a limited timespan of 180 days whereafter the communication transfers status from private to protected status due to the Electronic Communications Privacy Act.

There is no uniform law or policy establishing web privacy.

In conformance to the test provided by Katz v US the World Wide Web is inherently public.

Web Privacy Failure
(part 1 of 2)

'Social media has become the new public record of our time,' says Dixon. 'And that information can affect your employment and your credit." Delete yourself from the Web'.1

Used to be that privacy was about safeguarding personal space — keeping voyeurs and eavesdroppers at bay. Today, says Larry Ponemon of privacy think tank Ponemon Institute, it's also about staying out of the clutches of social media companies such as Google and Facebook.1

Web Privacy Failure
(part 2 of 2)

What this all means is that protecting individual privacy remains an externality for many companies, and that basic market dynamics won't work to solve the problem.1

The absence of privacy rules imposes expenses on businesses that many industry-sponsored studies ignore when calculating the costs of privacy. For example, consumers routinely abandon shopping carts on websites because of demands for too much personal information. Analysts estimate that Internet retail sales lost due to privacy concerns may be as much as $18 billion.2

Why has privacy on the web failed?

The web is inherently public. Creating islands of privacy in a public medium is expensive and unreliable.

Ad revenue is harmed by hiding information from the public. 'The Federal Trade Commission's proposed privacy mechanism could cause a major shift in the online advertising industry, as companies that have relied on consumers' browsing history try to make up for what could be billions in lost revenue'.1

Information transmission over the web, HTTP protocol, works like a broadcast. Information is a response to anonymous requests no different than turning on the radio or television.

In the returned source code look for a secret key and an authorization key to allow automated access.

If the authorization information is not found in the first search result then try the next source code result.

This unauthorized access is legal because the web is inherently public and authorization was disclosed in that public medium. The Amazon Terms Of Service2 and the Service Level Agreement3 offer no recourse for this. With such access I can take your data and delete your account, legally.

Immunity From Web-Focused Legislation

A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name's Internet Protocol address. Such actions shall be taken as expeditiously as possible, but in any case within 5 days after being served with a copy of the order, or within such time as the court may order.
H.R.3261, Stop Online Piracy Act

Email = Due Process, Web = Civil Liability

Violations are immediately known on the web without prior restraint. Discovery of violations in email requires a warrant or subpoena to detect before there can be any prosecution. The result is that there is no protection afforded from the web and violations can be assessed en masse, where neither applies to email.

Due process on the web does not apply to consumers, at least not directly. On the web due process only applies to access of data by the government from service providers. In email, however, due process applies equally to service providers and end users because any intrusion violates either privacy or protection upon the data.

Legal violations are rarely investigated in email, with the exception of felonies, such as child pornography, and of evidence gathering for civil violations not directly related to media content distributed via email.

Ownership

Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control. The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others.
David Loshin, President, Knowledge Integrity, Inc.

Web Service Providers Are the Data Owners

In email an author is explicitly known by email address, and so ownership is inherent to the author.

Since every user of HTTP is always anonymous the author is not known, but the web server is known. As a result data ownership on the web, when in question, resides at the service provider.

Web service providers typically document their own position on ownership with a Terms of Service agreement.

Google's New Universal Terms of Service

New TOS replaces the various existing agreements for different services with a single agreement across all services

New TOS applies equally to search and their email service, GMail.

New TOS will continue to apply after use of services ends.

New TOS claims to allow owners to retain ownership while licensing Google to: use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content

Privacy From New Google TOS

Using our Services does not give you ownership of any intellectual property rights in our Services or the content you access. You may not use content from our Services unless you obtain permission from its owner or are otherwise permitted by law.1

Google’s privacy policies explain how we treat your personal data and protect your privacy when you use our Services. By using our Services, you agree that Google can use such data in accordance with our privacy policies.2

Semantic Data

The Semantic Web is a web of data. There is lots of data we all use every day, and it is not part of the web. I can see my bank statements on the web, and my photographs, and I can see my appointments in a calendar. But can I see my photos in a calendar to see what I was doing when I took them? Can I see bank statement lines in a calendar? Why not? Because we don't have a web of data. Because data is controlled by applications, and each application keeps it to itself.
Semantic Web Activity, World Wide Web Consortium

Semantic Web and WWW, Not Compatible

The primary technology, RDF, was initially completed in 1999 and the vision for the Semantic Web was formalized in 2001.

More than a decade later there is still no semantic web.

Why did the semantic web fail?

HTML is often not semantic and syntactically corrupt, so the web is more combative than assistive.

Confusion over data ownership on the web.

Uncertainties of security and liabilities regarding the transmission of data schemas across the web.

Ideas around optimizing data are great and loved, but the web is scary and untrusted.

A successful attempt is around the automated sharing of data between social networking sites.

Semantic Web Email

Mail Markup Language is inherently semantic and accessible and the grammatical structure will always be uniform.

Mail Markup Language can be extended by other XML technologies.

There is no confusion around data ownership in email.

Semantic data distribution capabilities already exist in email, such as dynamic distribution lists and monitoring of those lists.